initial commit of file from CVS for smeserver-openvpn-bridge on Sat Sep 7 19:57:25 AEST 2024
@@ -0,0 +1,7 @@
|
||||
{
|
||||
my $url = ${'openvpn-bridge'}{'CrlUrl'} || '';
|
||||
if ($url =~ /^http(s)?:\/\/.*$/){
|
||||
$OUT .= "# Update OpenVPN bridge's CRL\n";
|
||||
$OUT .= "5 * * * * root /etc/e-smith/events/actions/openvpn-bridge-update-crl 2>&1 /dev/null\n";
|
||||
}
|
||||
}
|
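Review bot: The cron command's redirection is malformed: `2>&1 /dev/null` sends stderr to stdout and passes `/dev/null` as an argument to the action script, so nothing is discarded and cron mails every run's output to root. The intended form is `$OUT .= "5 * * * * root /etc/e-smith/events/actions/openvpn-bridge-update-crl >/dev/null 2>&1\n";`. Since this job is what refreshes the revocation list from `$url`, silencing everything also hides a failed download; if the action script does not itself report to syslog, consider discarding only stdout (`>/dev/null`) so a failed CRL refresh is still surfaced.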
0
root/etc/e-smith/templates/etc/openvpn/bridge/ccd/.gitignore
@@ -0,0 +1,7 @@
|
||||
{
|
||||
my $management = ${'openvpn-bridge'}{'management'} || 'localhost:11194:password';
|
||||
my @param = split(/:/,$management);
|
||||
my $pass = $param[2];
|
||||
$OUT = "$pass";
|
||||
|
||||
}
|
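Review bot: The management password is extracted with an unbounded `split(/:/, ...)`, so a password containing `:` is silently truncated at its first colon and the daemon rejects the password the administrator actually set; use `my ($host, $port, $pass) = split(/:/, $management, 3);` and write `$pass` from that. The fallback `localhost:11194:password` also puts the literal password `password` into the password file whenever the `management` property is unset; unless a db-default or migrate fragment outside this commit generates a per-install secret, the management interface is protected by a well-known value. Consider at least a `warn` when `$pass` is empty or still the literal default, and confirm the generated file is not world-readable (the template's permission metadata is not visible here).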
@@ -0,0 +1,23 @@
|
||||
# Virtual Interface Configuration
|
||||
{
|
||||
my $OUT='';
|
||||
my $protocol = ${'openvpn-bridge'}{protocol} || 'udp';
|
||||
my $port='';
|
||||
if ($protocol eq 'udp'){
|
||||
$port = ${'openvpn-bridge'}{UDPPort} || '1194';
|
||||
}
|
||||
if ($protocol eq 'tcp'){
|
||||
$port = ${'openvpn-bridge'}{TCPPort} || '1194';
|
||||
$protocol = 'tcp-server';
|
||||
}
|
||||
my $tapIf = ${'openvpn-bridge'}{tapIf} || 'tap0';
|
||||
|
||||
$OUT .=<<"HERE";
|
||||
|
||||
port $port
|
||||
proto $protocol
|
||||
dev $tapIf
|
||||
|
||||
HERE
|
||||
|
||||
}
|
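Review bot: A `protocol` value other than `udp` or `tcp` is written to the config unchanged while `$port` stays empty, producing `port ` and an invalid `proto` line, so OpenVPN fails to start. Normalising the value before the branches keeps that failure out of the generated file: `$protocol = 'udp' unless $protocol eq 'tcp';` immediately after the defaulted assignment. If the SME panel is the only writer of this property the case may be unreachable, but the template is the last line of defence against hand-made `db` edits.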
@@ -0,0 +1,8 @@
|
||||
# Drop down privileges
|
||||
user nobody
|
||||
group nobody
|
||||
chroot /etc/openvpn/bridge
|
||||
|
||||
persist-key
|
||||
persist-tun
|
||||
|
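Review bot: The chroot is the same directory that holds `priv/` (server key and tls-auth key) and `management-pass.txt`, so after the drop to `nobody` a compromised process is confined to precisely the tree that contains the secrets. Whether that matters depends on file modes this commit does not show: `priv/` and `management-pass.txt` should be root-owned and unreadable by `nobody`, while `pub/cacrl.pem` and `ccd/` must stay readable because they are re-read after the chroot. A chroot into a dedicated empty subdirectory would be tighter but changes the relative `crl-verify`/`client-config-dir` paths used elsewhere in this config, so treat this as a point to verify rather than a drop-in change; a comment such as `# chroot root also holds priv/ — keep it root:root and mode 0600` would at least make the dependency visible.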
@@ -0,0 +1,18 @@
|
||||
# Certificates config
|
||||
dh pub/dh.pem
|
||||
ca pub/cacert.pem
|
||||
cert pub/cert.pem
|
||||
key priv/key.pem
|
||||
tls-server
|
||||
|
||||
{
|
||||
|
||||
$OUT .= "tls-auth priv/takey.pem 0\n" if
|
||||
(-e "/etc/openvpn/bridge/priv/takey.pem" &&
|
||||
!-z "/etc/openvpn/bridge/priv/takey.pem");
|
||||
|
||||
}
|
||||
|
||||
# CRL file for certificates verification
|
||||
crl-verify pub/cacrl.pem
|
||||
|
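Review bot: The `tls-auth` directive is emitted only when `priv/takey.pem` exists and is non-empty, so a missing or truncated key silently downgrades the control channel instead of failing — a quiet downgrade is the opposite of what a security option should do. Consider making the absence explicit in the generated config, e.g. `$OUT .= "# WARNING: priv/takey.pem missing, control channel is not HMAC-protected\n"` in an else branch, or failing the expansion outright if the key is expected on every install. By contrast `crl-verify pub/cacrl.pem` is unconditional, which is the right direction, but it relies on a CRL being present before the first start; the cron refresh in this commit only runs when `CrlUrl` is set, so the initial CRL must come from somewhere not visible here.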
@@ -0,0 +1,33 @@
|
||||
{
|
||||
#HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
|
||||
# need to be changed on both side
|
||||
my $HMAC = ( ${'openvpn-bridge'}{'HMAC'} ) ? ${'openvpn-bridge'}{'HMAC'} : undef;
|
||||
# cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
|
||||
# # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
|
||||
my $cipher = ( ${'openvpn-bridge'}{'Cipher'} && ${'openvpn-bridge'}{'Cipher'} ne 'auto')? ${'openvpn-bridge'}{'Cipher'} : undef;
|
||||
|
||||
## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
|
||||
my $tlsVmin = ( ${'openvpn-bridge'}{'tlsVmin'} && ( ${'openvpn-bridge'}{'tlsVmin'} =~ /^1\.[0-9]{1}$/ ) ) ? ${'openvpn-bridge'}{'tlsVmin'} : "1.2";
|
||||
# TLS 1.3 encryption settings
|
||||
my $tlsCipherSuites13 = ( ${'openvpn-bridge'}{'tlsCipherSuites13'} ) ? ${'openvpn-bridge'}{'tlsCipherSuites13'} : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
|
||||
# # TLS 1.2 encryption settings
|
||||
my $tlsCipher12 = ( ${'openvpn-bridge'}{'tlsCipher12'} ) ? ${'openvpn-bridge'}{'tlsCipher12'} : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
|
||||
|
||||
|
||||
|
||||
$OUT .= "#securing control channel\n";
|
||||
$OUT .= "tls-version-min $tlsVmin\n";
|
||||
$OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
|
||||
$OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
|
||||
#$OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
|
||||
#$OUT .= "ecdh-curve secp384r1\n";
|
||||
|
||||
# data channel
|
||||
$OUT .= "#securing data channel\n";
|
||||
$OUT .= (defined $cipher) ? "cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n";
|
||||
#auth SHA512
|
||||
$OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n";
|
||||
|
||||
|
||||
|
||||
}
|
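Review bot: The `tlsVmin` guard `/^1\.[0-9]{1}$/` accepts `1.4`–`1.9`, which are not TLS versions and make OpenVPN reject its own config, while still admitting the `1.0`/`1.1` the comment says are unwanted; `/^1\.[0-3]$/` keeps the documented escape hatch for old clients without accepting nonsense. `Cipher`, `HMAC`, `tlsCipher12` and `tlsCipherSuites13` are interpolated with no validation at all — a property value containing a newline becomes an arbitrary extra directive — so a check such as `/^[A-Za-z0-9:_-]+$/` on each is cheap insurance even though the writer is normally root. Minor: the comment on the cipher default reads `encrypt-then-mc`, presumably `encrypt-then-mac`.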
@@ -0,0 +1,27 @@
|
||||
# Plugin for user-auth
|
||||
{
|
||||
my $userAuth = ${'openvpn-bridge'}{userAuth} || 'CrtWithPass';
|
||||
if ($userAuth eq 'CrtWithPass'){
|
||||
# This the the old default location of the plugin
|
||||
my $plugin = "/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so";
|
||||
# This is the new (since openvpn 2.3.1-2) of the plugin, for x86
|
||||
if ( -e "/usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so" ){
|
||||
$plugin = "/usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so";
|
||||
}
|
||||
# Same for x86_64
|
||||
elsif ( -e "/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so" ){
|
||||
$plugin = "/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so";
|
||||
}
|
||||
# This is the location for openvpn before 2.3.1-2
|
||||
elsif ( -e "/usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so" ){
|
||||
$plugin = "/usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so";
|
||||
}
|
||||
# Same for x86_64
|
||||
elsif ( -e "/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so" ){
|
||||
$plugin = "/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so";
|
||||
}
|
||||
$OUT .= "plugin " . $plugin . " login\n";
|
||||
}
|
||||
$OUT .= '';
|
||||
}
|
||||
|
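Review bot: If none of the four probed paths exists, `$plugin` keeps the first, never-checked default and the `plugin` line is emitted anyway, so the problem only surfaces as OpenVPN refusing to start with no hint in the generated file; a `die "openvpn-auth-pam plugin not found"` (or at least a `warn`) at expansion time would make the missing package obvious. Failing closed is correct here — a `CrtWithPass` setup must not silently run without the password check — so do not fall back to emitting nothing. Also worth confirming on the target system is the `login` PAM service name: on several distributions `/etc/pam.d/login` pulls in tty-oriented modules (securetty, nologin) that do not fit a network daemon, and a dedicated `openvpn` service file is the usual choice.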
@@ -0,0 +1,9 @@
|
||||
# Server mode
|
||||
{
|
||||
my $OUT = '';
|
||||
my $ip = $LocalIP;
|
||||
my $netmask = $LocalNetmask;
|
||||
my $min = ${'openvpn-bridge'}{startPool} || '';
|
||||
my $max = ${'openvpn-bridge'}{endPool} || '';
|
||||
$OUT = "server-bridge $ip $netmask $min $max\n";
|
||||
}
|
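Review bot: When `startPool` or `endPool` is unset the block writes `server-bridge $ip $netmask  ` with two trailing empty fields, which OpenVPN rejects (`server-bridge` takes either all four arguments or none); the fallback should be the bare form so bridged clients obtain addresses from the LAN's DHCP server: `$OUT = ($min ne '' && $max ne '') ? "server-bridge $ip $netmask $min $max\n" : "server-bridge\n";`. If a db-default outside this commit always populates both properties the case is unreachable, but the template should not depend on that. `$LocalIP`/`$LocalNetmask` come from the e-smith template environment, which is not shown here.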
@@ -0,0 +1,48 @@
|
||||
# Options
|
||||
{
|
||||
|
||||
my $mtuTest = ${'openvpn-bridge'}{mtuTest} || 'enabled';
|
||||
my $tunMtu = ${'openvpn-bridge'}{tunMtu};
|
||||
my $fragment = ${'openvpn-bridge'}{fragment};
|
||||
my $redirectGW = ${'openvpn-bridge'}{redirectGW} || 'PerClient';
|
||||
my $proto = ${'openvpn-bridge'}{protocol} || 'udp';
|
||||
my $duplicate = ${'openvpn-bridge'}{duplicateCN} || 'disabled';
|
||||
my $passtos = ${'openvpn-bridge'}{PassTOS} || 'enabled';
|
||||
|
||||
if ($proto eq 'tcp'){
|
||||
$mtuTest = 'disabled';
|
||||
$fragment = '';
|
||||
}
|
||||
|
||||
$OUT .=<<"HERE";
|
||||
keepalive 10 120
|
||||
push "dhcp-option DOMAIN $DomainName"
|
||||
push "dhcp-option DNS $LocalIP"
|
||||
push "dhcp-option WINS $LocalIP"
|
||||
|
||||
HERE
|
||||
|
||||
if ($mtuTest eq 'enabled'){
|
||||
$OUT .= "mtu-test\n";
|
||||
}
|
||||
elsif (($mtuTest eq 'disabled')){
|
||||
if ($tunMtu ne ''){
|
||||
$OUT .= "tun-mtu $tunMtu\n";
|
||||
}
|
||||
if (($proto eq 'udp') && ($fragment ne '')){
|
||||
$OUT .= "fragment $fragment\nmssfix\n";
|
||||
}
|
||||
}
|
||||
|
||||
if ($duplicate eq 'enabled'){
|
||||
$OUT .= "duplicate-cn\n";
|
||||
}
|
||||
|
||||
if ($passtos eq 'enabled'){
|
||||
$OUT .= "passtos\n";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
nice 5
|
||||
|
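Review bot: `tunMtu` and `fragment` are read without a default, so `$tunMtu ne ''` and `$fragment ne ''` compare `undef` when the properties are unset; the result is what is intended, but under `use warnings` every expansion logs an uninitialized-value warning. `my $tunMtu = ${'openvpn-bridge'}{tunMtu} || '';` and `my $fragment = ${'openvpn-bridge'}{fragment} || '';` match the other reads in the block and remove the noise. `$redirectGW` is assigned and never used in this fragment (the routes fragment handles it), so it can be dropped here.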
@@ -0,0 +1,33 @@
|
||||
# Routes
|
||||
|
||||
{
|
||||
|
||||
my $pushRoutes = ${'openvpn-bridge'}{PushLocalNetworks} || 'enabled';
|
||||
my $redirectGW = ${'openvpn-bridge'}{redirectGW} || 'PerClient';
|
||||
|
||||
use esmith::NetworksDB;
|
||||
my $ndb = esmith::NetworksDB->open_ro() ||
|
||||
die('Can not open Networks DB');
|
||||
|
||||
my @networks = $ndb->networks();
|
||||
|
||||
if ($redirectGW eq 'always'){
|
||||
$OUT .= "push \"redirect-gateway def1\"\n";
|
||||
}
|
||||
elsif ($pushRoutes eq 'enabled'){
|
||||
foreach my $network (@networks) {
|
||||
my $route = '';
|
||||
my $addr = $network->key;
|
||||
my $mask = $network->prop('Mask');
|
||||
my $gw = $network->prop('Router') || '';
|
||||
my $vpn = $network->prop('VPN') || '';
|
||||
my $doPush = $network->prop('PushRoute') || 'enabled';
|
||||
if ( ($gw ne '' || $vpn ne '') && $doPush eq 'enabled' ){
|
||||
$route .= "push \"route $addr $mask";
|
||||
$route .= " $gw" if ($vpn eq '');
|
||||
$OUT .= "$route\"\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
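Review bot: `push "route $addr $mask"` is emitted without checking that `Mask` is set, so a networks-DB entry lacking that property pushes a truncated route that every connecting client then rejects; `next unless defined $mask && $mask ne '';` before building `$route` keeps one malformed record from breaking the pushed routes for all clients. The `always` branch also suppresses the per-network pushes entirely, which is reasonable while `def1` routes everything through the tunnel but deserves a comment, e.g. `# with redirect-gateway every destination already goes via the VPN, so local routes are not pushed`. Whether `Mask` is mandatory in esmith::NetworksDB is not visible from this commit.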
@@ -0,0 +1,7 @@
|
||||
# Management interface
|
||||
{
|
||||
my $management = ${'openvpn-bridge'}{'management'} || 'localhost:11194:password';
|
||||
my ($host,$port,$pass) = split(/:/,$management);
|
||||
$OUT ="management $host $port management-pass.txt\n";
|
||||
|
||||
}
|
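Review bot: The management host and port are written straight from the `management` property, and nothing stops an administrator from setting a non-loopback address; the OpenVPN management protocol is plaintext, so that would expose the password from `management-pass.txt` and full control of the daemon (disconnecting clients, signalling) to the network. State the constraint and enforce it, e.g. `die "openvpn-bridge management must listen on loopback" unless $host =~ /^(localhost|127\.\d+\.\d+\.\d+)$/;` — or at least `warn`, if a hard failure of template expansion is considered too disruptive. `$pass` is unpacked but unused here (the separate password-file fragment writes it), which is harmless.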
@@ -0,0 +1,27 @@
|
||||
# Clients options
|
||||
{
|
||||
my $OUT = '';
|
||||
my $maxClient = ${'openvpn-bridge'}{maxClients} || '20';
|
||||
my $clientToClient = ${'openvpn-bridge'}{clientToClient} || 'disabled';
|
||||
my $compLzo = ${'openvpn-bridge'}{compLzo} || 'enabled';
|
||||
my $configRequired = ${'openvpn-bridge'}{ConfigRequired} || 'disabled';
|
||||
|
||||
if ($clientToClient eq 'enabled'){
|
||||
$OUT .= "client-to-client\n";
|
||||
}
|
||||
|
||||
$OUT .= "client-config-dir ccd\n";
|
||||
|
||||
if ($configRequired eq 'enabled'){
|
||||
$OUT .= 'ccd-exclusive\n';
|
||||
}
|
||||
|
||||
$OUT .= "max-clients $maxClient\n";
|
||||
|
||||
if ( $compLzo eq 'enabled'){
|
||||
$OUT .= "comp-lzo adaptive\n";
|
||||
$OUT .= "push \"comp-lzo adaptive\"\n";
|
||||
}
|
||||
$OUT .= '';
|
||||
}
|
||||
|
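Review bot: `$OUT .= 'ccd-exclusive\n';` uses single quotes, so `\n` is a literal backslash-n and the generated line becomes `ccd-exclusive\nmax-clients 20`, which OpenVPN rejects as an unknown option. This is the `ConfigRequired` enforcement (only clients with a ccd entry may connect), so switching on the stricter setting currently takes the server down; the fix is `$OUT .= "ccd-exclusive\n";`. Separately, `comp-lzo` is enabled by default and pushed to clients; compression inside the tunnel is what made VORACLE-style attacks practical and the OpenVPN project has deprecated it, so `disabled` is the safer default for new installs if existing clients can tolerate the change.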
@@ -0,0 +1,9 @@
|
||||
# Log
|
||||
status-version 2
|
||||
status bridge-status.txt
|
||||
{
|
||||
my $OUT = '';
|
||||
my $verb = ${'openvpn-bridge'}{verbose} || '3';
|
||||
$OUT .= "verb $verb\n";
|
||||
}
|
||||
log-append /var/log/openvpn-bridge/openvpn-bridge.log
|
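Review bot: `verb` is interpolated without validation, so a non-numeric `verbose` property produces an unparsable `verb` line; a guard like `$verb = '3' unless $verb =~ /^\d+$/;` keeps the config valid. The OpenVPN manual describes the levels from 5 upward as per-packet and debug output, which is noisy in `/var/log/openvpn-bridge/openvpn-bridge.log` and can include client identifiers, so a comment noting that values above 4 are for troubleshooting only would help the next administrator.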